From: Amos Jeffries Date: Sun, 16 Mar 2014 03:08:55 +0000 (+1200) Subject: crypto-ng: use libnettle MD5 algorithm support X-Git-Tag: SQUID_3_5_0_1~332 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09cd7204cc0a1c80c40a9f1f7129053cc8e55c18;p=thirdparty%2Fsquid.git crypto-ng: use libnettle MD5 algorithm support Transitional patch detects libnettle when available and uses it without yet forcing it as a required dependency. --- diff --git a/configure.ac b/configure.ac index 34880eb48b..2ce1b3809b 100644 --- a/configure.ac +++ b/configure.ac @@ -1214,6 +1214,30 @@ SQUID_DEFINE_BOOL(USE_HTCP,${enable_htcp:=yes}, AM_CONDITIONAL(ENABLE_HTCP, [test "x$enable_htcp" = "xyes"]) AC_MSG_NOTICE([HTCP support enabled: $enable_htcp]) +# Cryptograhic libraries +AC_ARG_WITH(nettle, + AS_HELP_STRING([--without-nettle],[Compile without the Nettle crypto library.]),[ +case "$with_nettle" in + yes|no) + : # Nothing special to do here + ;; + *) + if test ! -d "$withval" ; then + AC_MSG_ERROR([--with-nettle path does not point to a directory]) + fi + NETTLELIBDIR="-L$with_nettle/lib" + CPPFLAGS="-I$with_nettle/include $CPPFLAGS" + with_nettle=yes + esac +]) +if test "x$with_nettle" != "xno" ; then + AC_CHECK_LIB(nettle, nettle_md5_init,[ + NETTLELIB="$NETTLELIBDIR -lnettle" + AC_CHECK_HEADERS(nettle/md5.h) + ],[with_nettle=no]) +fi +AC_MSG_NOTICE([Using Nettle cryptographic library: ${with_nettle:=yes}]) +AC_SUBST(NETTLELIB) # SSL is not enabled by default. # Default is to use OpenSSL when available 
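Review bot: In the configure.ac hunk, `NETTLELIBDIR` is set from `--with-nettle=PATH` but is not on the link line when `AC_CHECK_LIB(nettle, nettle_md5_init, ...)` runs, so the probe searches only the default library path while `CPPFLAGS` already points at the custom headers. As written, a custom-prefix build either fails detection and silently drops to `with_nettle=no`, or passes against a system copy that is not the one later linked through `NETTLELIB`. An explicit `--with-nettle` that cannot be satisfied should stop with `AC_MSG_ERROR` rather than quietly change which MD5 implementation is built. The added comment also has a typo and should read `# Cryptographic libraries`.

```m4
# … unchanged: AC_ARG_WITH(nettle, …) case block …
if test "x$with_nettle" != "xno" ; then
  squid_saved_LDFLAGS="$LDFLAGS"
  LDFLAGS="$NETTLELIBDIR $LDFLAGS"   # let the probe see the requested prefix
  AC_CHECK_LIB(nettle, nettle_md5_init,[
    # … unchanged: NETTLELIB assignment and header check …
  ],[
    if test "x$with_nettle" = "xyes" ; then
      AC_MSG_ERROR([Nettle was requested but libnettle could not be linked])
    fi
    with_nettle=no
  ])
  LDFLAGS="$squid_saved_LDFLAGS"
fi
```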
@@ -1263,11 +1287,9 @@ case "$with_openssl" in ]) SQUID_DEFINE_BOOL(USE_SSL,$enable_ssl, [Define this to include code for SSL gatewaying support]) -AC_MSG_NOTICE([Using OpenSSL MD5 implementation: ${with_openssl:=no}]) -SQUID_DEFINE_BOOL(USE_OPENSSL,${with_openssl}, - [Define this to make use of the OpenSSL libraries for MD5 calculation rather than Squid-supplied MD5 implementation or if building with SSL encryption]) +AC_MSG_NOTICE([Using OpenSSL library: ${with_openssl:=no}]) if test "x$enable_ssl" = "xyes"; then - if test "x$SSLLIB" = "x"; then + if test "x$SSLLIB" = "x" -a "x$with_nettle" = "xno"; then SSLLIB="-lcrypto" # for MD5 routines fi # This is a workaround for RedHat 9 brain damage.. diff --git a/helpers/basic_auth/NCSA/Makefile.am b/helpers/basic_auth/NCSA/Makefile.am index 9586946fd1..8e00bcae66 100644 --- a/helpers/basic_auth/NCSA/Makefile.am +++ b/helpers/basic_auth/NCSA/Makefile.am @@ -8,6 +8,7 @@ LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff --git a/helpers/basic_auth/RADIUS/Makefile.am b/helpers/basic_auth/RADIUS/Makefile.am index 1133cafd31..db47241e92 100644 --- a/helpers/basic_auth/RADIUS/Makefile.am +++ b/helpers/basic_auth/RADIUS/Makefile.am @@ -15,5 +15,6 @@ basic_radius_auth_SOURCES = \ basic_radius_auth_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff --git a/helpers/digest_auth/LDAP/Makefile.am b/helpers/digest_auth/LDAP/Makefile.am index fe746c5b1f..0288bdfdf8 100644 --- a/helpers/digest_auth/LDAP/Makefile.am +++ b/helpers/digest_auth/LDAP/Makefile.am @@ -14,6 +14,7 @@ digest_ldap_auth_LDADD = \ $(COMPAT_LIB) \ $(LDAPLIB) \ $(LBERLIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff --git a/helpers/digest_auth/file/Makefile.am b/helpers/digest_auth/file/Makefile.am index dd12852063..dd379cd5a6 100644 
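Review bot: The new condition `test "x$SSLLIB" = "x" -a "x$with_nettle" = "xno"` in the second configure.ac hunk uses `test -a`, which the Autoconf portability guidance advises against; write it as `if test "x$SSLLIB" = "x" && test "x$with_nettle" = "xno"; then`. It also keys on `with_nettle`, which the earlier hunk sets from the library probe alone, while include/md5.h selects Nettle on `HAVE_NETTLE_MD5_H`; the two can disagree when the library links but the header is missing. The trailing `# for MD5 routines` comment no longer explains why `-lcrypto` depends on Nettle being absent, so it should state what still needs libcrypto in that case. The `if test "x$enable_ssl" = "xyes"` block continues past the end of the hunk.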
--- a/helpers/digest_auth/file/Makefile.am +++ b/helpers/digest_auth/file/Makefile.am @@ -14,6 +14,7 @@ LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(SSLLIB) \ $(XTRA_LIBS) diff --git a/helpers/negotiate_auth/kerberos/Makefile.am b/helpers/negotiate_auth/kerberos/Makefile.am index 633803840e..bf7a1f9999 100644 --- a/helpers/negotiate_auth/kerberos/Makefile.am +++ b/helpers/negotiate_auth/kerberos/Makefile.am @@ -12,6 +12,7 @@ negotiate_kerberos_auth_LDFLAGS = negotiate_kerberos_auth_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(KRB5LIBS) \ $(XTRA_LIBS) @@ -20,6 +21,7 @@ negotiate_kerberos_auth_test_LDFLAGS = negotiate_kerberos_auth_test_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(KRB5LIBS) \ $(XTRA_LIBS) diff --git a/helpers/negotiate_auth/wrapper/Makefile.am b/helpers/negotiate_auth/wrapper/Makefile.am index 870edbe455..cd6666d6fa 100644 --- a/helpers/negotiate_auth/wrapper/Makefile.am +++ b/helpers/negotiate_auth/wrapper/Makefile.am @@ -8,4 +8,5 @@ negotiate_wrapper_auth_SOURCES = negotiate_wrapper.cc negotiate_wrapper_auth_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(XTRA_LIBS) diff --git a/helpers/ntlm_auth/fake/Makefile.am b/helpers/ntlm_auth/fake/Makefile.am index 804e633753..faaa636f39 100644 --- a/helpers/ntlm_auth/fake/Makefile.am +++ b/helpers/ntlm_auth/fake/Makefile.am @@ -7,6 +7,7 @@ ntlm_fake_auth_LDADD = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(XTRA_LIBS) diff --git a/helpers/ntlm_auth/smb_lm/Makefile.am b/helpers/ntlm_auth/smb_lm/Makefile.am index dd0b5fccf0..5560c49a5f 100644 --- a/helpers/ntlm_auth/smb_lm/Makefile.am +++ b/helpers/ntlm_auth/smb_lm/Makefile.am 
@@ -9,6 +9,7 @@ ntlm_smb_lm_auth_LDADD = \ $(top_builddir)/lib/ntlmauth/libntlmauth.la \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(XTRA_LIBS) diff --git a/include/md5.h b/include/md5.h index cedcbf1b43..4bc5e69197 100644 --- a/include/md5.h +++ b/include/md5.h @@ -1,6 +1,18 @@ #ifndef SQUID_MD5_H #define SQUID_MD5_H +#if HAVE_NETTLE_MD5_H +#include + +typedef struct md5_ctx SquidMD5_CTX; + +#define SquidMD5Init(c) md5_init((c)) +#define SquidMD5Update(c,b,l) md5_update((c), (l), (const uint8_t *)(b)) +#define SquidMD5Final(d,c) md5_digest((c), MD5_DIGEST_SIZE, (uint8_t *)(d)) + +#define SQUID_MD5_DIGEST_LENGTH MD5_DIGEST_SIZE + +#else /* * This is the header file for the MD5 message-digest algorithm. * The algorithm is due to Ron Rivest. This code was @@ -45,4 +57,6 @@ SQUIDCEXTERN void SquidMD5Transform(uint32_t buf[4], uint32_t const in[16]); #define SQUID_MD5_DIGEST_LENGTH 16 +#endif /* HAVE_NETTLE_MD5_H */ + #endif /* SQUID_MD5_H */ diff --git a/lib/md5.c b/lib/md5.c index 2985473d81..c89e042571 100644 --- a/lib/md5.c +++ b/lib/md5.c @@ -32,6 +32,8 @@ #include "squid.h" #include "md5.h" +#if !HAVE_NETTLE_MD5_H + #if HAVE_STRING_H #include /* for memcpy() */ #endif @@ -252,3 +254,4 @@ SquidMD5Transform(uint32_t buf[4], uint32_t const in[16]) } #endif /* !ASM_MD5 */ +#endif /* HAVE_ETTLE_MD5_H */ diff --git a/src/Makefile.am b/src/Makefile.am index c0568c1ead..8ceb54937a 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -639,6 +639,7 @@ squid_LDADD = \ $(DISK_LINKOBJS) \ $(REPL_OBJS) \ $(DISK_OS_LIBS) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(REGEXLIB) \ $(ADAPTATION_LIBS) \ @@ -760,6 +761,7 @@ ufsdump_LDADD = \ mgr/libmgr.la \ $(XTRA_OBJS) \ $(REPL_OBJS) \ + $(NETTLELIB) \ $(CRYPTLIB) \ $(REGEXLIB) \ $(SSLLIB) \ @@ -1209,6 +1211,7 @@ tests_testHttpReply_LDADD=\ $(top_builddir)/lib/libmiscutil.la \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ + $(NETTLELIB) \ $(SSLLIB) \ $(COMPAT_LIB) \ $(XTRA_LIBS) 
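Review bot: In the first include/md5.h hunk, the `SquidMD5Update` and `SquidMD5Final` macros cast their buffer arguments unconditionally, so a wrong pointer type or an undersized digest buffer compiles without a diagnostic, and a signed length such as the `int len` passed from src/wccp2.cc is converted to Nettle's unsigned length parameter without a range check. Thin inline wrappers keep the type checking, for example `static inline void SquidMD5Update(SquidMD5_CTX *c, const void *b, size_t l) { md5_update(c, l, (const uint8_t *)b); }`. The second hunk's header shows `SquidMD5Transform` declared only in the `#else` branch, so any caller of it would presumably fail to build once Nettle is detected; a comment saying it is unavailable with Nettle would help. A comment such as `/* Nettle's md5.h may define md5_init/md5_update/md5_digest as macros; avoid those names as identifiers */` would also explain the `md5Digest` rename in src/wccp2.cc.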
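Review bot: The closing guard comment added at the end of lib/md5.c reads `#endif /* HAVE_ETTLE_MD5_H */`, which misspells the macro and drops the negation of the opening `#if !HAVE_NETTLE_MD5_H`; it should be `#endif /* !HAVE_NETTLE_MD5_H */`. Because the guard now wraps the whole bundled implementation, a matching comment is what lets a reader grep from one end of the file to the other.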
@@ -1348,6 +1351,7 @@ tests_testACLMaxUserIP_LDADD= \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(DISK_OS_LIBS) \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SSLLIB) \ @@ -1610,6 +1614,7 @@ tests_testCacheManager_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ @@ -1791,6 +1796,7 @@ tests_testDiskIO_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SSLLIB) \ @@ -2038,6 +2044,7 @@ tests_testEvent_LDADD = \ ipc/libipc.la \ mgr/libmgr.la \ $(SNMP_LIBS) \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ @@ -2285,6 +2292,7 @@ tests_testEventLoop_LDADD = \ ipc/libipc.la \ mgr/libmgr.la \ $(SNMP_LIBS) \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ @@ -2525,6 +2533,7 @@ tests_test_http_range_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ @@ -2813,6 +2822,7 @@ tests_testHttpRequest_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(DISK_OS_LIBS) \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ @@ -2987,6 +2997,7 @@ tests_testStore_LDADD= \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SSLLIB) \ 
@@ -3225,6 +3236,7 @@ tests_testUfs_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SSLLIB) \ @@ -3403,6 +3415,7 @@ tests_testRock_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(REGEXLIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SSLLIB) \ @@ -3648,6 +3661,7 @@ tests_testURL_LDADD = \ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ + $(NETTLELIB) \ $(COMPAT_LIB) \ $(SQUID_CPPUNIT_LIBS) \ $(SQUID_CPPUNIT_LA) \ diff --git a/src/wccp2.cc b/src/wccp2.cc index c2f9e96419..42854ce8e7 100644 --- a/src/wccp2.cc +++ b/src/wccp2.cc @@ -67,7 +67,7 @@ static EVH wccp2AssignBuckets; #define WCCP2_MASK_ASSIGNMENT 0x01 #define WCCP2_NONE_SECURITY_LEN 0 -#define WCCP2_MD5_SECURITY_LEN 16 +#define WCCP2_MD5_SECURITY_LEN SQUID_MD5_DIGEST_LENGTH // 16 /* Useful defines */ #define WCCP2_NUMPORTS 8 @@ -573,7 +573,7 @@ wccp2_get_service_by_id(int service, int service_id) { static char wccp2_update_md5_security(char *password, char *ptr, char *packet, int len) { - uint8_t md5_digest[16]; + uint8_t md5Digest[SQUID_MD5_DIGEST_LENGTH]; char pwd[WCCP2_PASSWORD_LEN]; SquidMD5_CTX M; @@ -601,7 +601,7 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len) * including the WCCP message header. The WCCP security implementation * area should be zero'ed before calculating the MD5 hash. */ - /* XXX eventually we should be able to kill md5_digest and blit it directly in */ + /* XXX eventually we should be able to kill md5Digest and blit it directly in */ memset(ws->security_implementation, 0, sizeof(ws->security_implementation)); SquidMD5Init(&M); 
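Review bot: `#define WCCP2_MD5_SECURITY_LEN SQUID_MD5_DIGEST_LENGTH // 16` in the first src/wccp2.cc hunk makes a protocol field length follow a crypto-library macro, since with Nettle `SQUID_MD5_DIGEST_LENGTH` expands to `MD5_DIGEST_SIZE`. The later hunks copy `sizeof(md5Digest)` bytes into `ws->security_implementation`, whose declaration is outside the visible lines, so that copy stays in bounds only while both sizes are equal. Keeping the wire constant as the literal `16` and adding a compile-time assertion that it equals `SQUID_MD5_DIGEST_LENGTH` would document the assumption and fail the build if it ever breaks.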
@@ -610,9 +610,9 @@ wccp2_update_md5_security(char *password, char *ptr, char *packet, int len) SquidMD5Update(&M, packet, len); - SquidMD5Final(md5_digest, &M); + SquidMD5Final(md5Digest, &M); - memcpy(ws->security_implementation, md5_digest, sizeof(md5_digest)); + memcpy(ws->security_implementation, md5Digest, sizeof(md5Digest)); /* Finished! */ return 1; @@ -627,7 +627,7 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac { struct wccp2_security_md5_t *ws = (struct wccp2_security_md5_t *) security; - uint8_t md5_digest[16], md5_challenge[16]; + uint8_t md5Digest[SQUID_MD5_DIGEST_LENGTH], md5_challenge[SQUID_MD5_DIGEST_LENGTH]; char pwd[WCCP2_PASSWORD_LEN]; SquidMD5_CTX M; @@ -655,7 +655,7 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac pwd[sizeof(pwd) - 1] = '\0'; /* Take a copy of the challenge: we need to NUL it before comparing */ - memcpy(md5_challenge, ws->security_implementation, 16); + memcpy(md5_challenge, ws->security_implementation, sizeof(md5_challenge)); memset(ws->security_implementation, 0, sizeof(ws->security_implementation)); @@ -665,9 +665,9 @@ wccp2_check_security(struct wccp2_service_list_t *srv, char *security, char *pac SquidMD5Update(&M, packet, len); - SquidMD5Final(md5_digest, &M); + SquidMD5Final(md5Digest, &M); - return (memcmp(md5_digest, md5_challenge, 16) == 0); + return (memcmp(md5Digest, md5_challenge, SQUID_MD5_DIGEST_LENGTH) == 0); } void diff --git a/tools/Makefile.am b/tools/Makefile.am index 8bdd011065..18da335213 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -21,6 +21,7 @@ LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(KRB5LIBS) \ $(XTRA_LIBS) diff --git a/tools/squidclient/Makefile.am b/tools/squidclient/Makefile.am index 2bcfa8ab20..150613288d 100644 --- a/tools/squidclient/Makefile.am +++ b/tools/squidclient/Makefile.am 
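Review bot: In the `wccp2_check_security` hunk (`@@ -665,9`), the received authentication digest is still compared with `memcmp(md5Digest, md5_challenge, SQUID_MD5_DIGEST_LENGTH)`, which may return at the first differing byte and so takes data-dependent time on a value supplied by the peer. Since the line is being touched anyway, a fixed-time comparison fits here: `uint8_t diff = 0;` `for (size_t i = 0; i < sizeof(md5Digest); ++i) diff |= md5Digest[i] ^ md5_challenge[i];` `return (diff == 0);`. The context lines also show the shared secret copied into the stack buffer `pwd`; whether it is cleared before return is not visible in these hunks and is worth checking. Parts of the function body lie between the hunks and are not shown.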
@@ -12,6 +12,7 @@ LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(COMPAT_LIB) \ + $(NETTLELIB) \ $(KRB5LIBS) \ $(XTRA_LIBS)